Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2hu2-v4hy-r3gf
Vulnerability ID VCID-2hu2-v4hy-r3gf
Aliases CVE-2025-14874
GHSA-rcmh-qjqh-p98v
Summary A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-703 Improper Check or Handling of Exceptional Conditions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14874.json
cvssv3.1 7.5 https://access.redhat.com/security/cve/CVE-2025-14874
generic_textual HIGH https://access.redhat.com/security/cve/CVE-2025-14874
ssvc Track https://access.redhat.com/security/cve/CVE-2025-14874
epss 0.00219 https://api.first.org/data/v1/epss?cve=CVE-2025-14874
epss 0.00219 https://api.first.org/data/v1/epss?cve=CVE-2025-14874
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=2418133
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=2418133
ssvc Track https://bugzilla.redhat.com/show_bug.cgi?id=2418133
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rcmh-qjqh-p98v
cvssv3.1 7.5 https://github.com/nodemailer/nodemailer
generic_textual HIGH https://github.com/nodemailer/nodemailer
ssvc Track https://github.com/nodemailer/nodemailer
cvssv3.1 7.5 https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
generic_textual HIGH https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
ssvc Track https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
cvssv3.1 7.5 https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
cvssv3.1_qr HIGH https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
generic_textual HIGH https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
ssvc Track https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-14874
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-14874
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14874.json
https://api.first.org/data/v1/epss?cve=CVE-2025-14874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14874
1123669 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123669
b61b9c0cfd682b6f647754ca338373b68336a150 https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
cpe:/a:redhat:acm:2 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:acm:2
cpe:/a:redhat:ceph_storage:8 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:ceph_storage:8
cpe:/a:redhat:rhdh:1 https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhdh:1
CVE-2025-14874 https://access.redhat.com/security/cve/CVE-2025-14874
CVE-2025-14874 https://nvd.nist.gov/vuln/detail/CVE-2025-14874
GHSA-rcmh-qjqh-p98v https://github.com/advisories/GHSA-rcmh-qjqh-p98v
GHSA-rcmh-qjqh-p98v https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
nodemailer https://github.com/nodemailer/nodemailer
show_bug.cgi?id=2418133 https://bugzilla.redhat.com/show_bug.cgi?id=2418133
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14874.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/CVE-2025-14874
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:32:42Z/ Found at https://access.redhat.com/security/cve/CVE-2025-14874
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2418133
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:32:42Z/ Found at https://bugzilla.redhat.com/show_bug.cgi?id=2418133
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nodemailer/nodemailer
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:32:42Z/ Found at https://github.com/nodemailer/nodemailer
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:32:42Z/ Found at https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:32:42Z/ Found at https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-14874
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.44584
EPSS Score 0.00219
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:03:04.535330+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/14xxx/CVE-2025-14874.json 38.6.0